
Re: Server hacked - next...?

Top-posting... but please forgive.

The box is a very recently updated "stable" box... virtually every other
day apt-get update/upgrade is run.

The box is set up very securely... the usual things were done... like
ensuring no unused services are running and things like that.

So does that mean "stable" is actually vulnerable to something we all
don't know about???

----- Original Message ----- 
From: "Russell Coker" <russell@coker.com.au>
To: "Jason Lim" <maillist@jasonlim.com>; <debian-isp@lists.debian.org>
Sent: Sunday, 29 June, 2003 1:49 PM
Subject: Re: Server hacked - next...?

On Sun, 29 Jun 2003 15:00, Jason Lim wrote:
> One of our servers was hacked (woody)... badly, from what I can see. A

From the ps output it appears that the hack originated from the web server
a CGI-BIN script it ran.

As they ran modprobe I guess they got root.  :(

The recommended method is to backup configuration files and data and
the machine from scratch.

Fighting off a hacker who is already in your machine as root is difficult.
Doing it properly is more difficult than preventing them cracking your
machine in the first place.

Best to reinstall.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
